According to an article by Kathleen A. Jackson, INTRUSION DETECTION SYSTEM (IDS) PRODUCT SURVEY, Version 2.1, Los Alamos National Laboratory 1999, Publication No. LA-UR-99-3883, Chapter 1.2, IDS OVERVIEW, intrusion detection systems typically attempt to detect computer misuse. Misuse is the performance of an action that is not desired by the system owner, such as one that does not conform to the system's acceptable use and/or security policy. Typically, misuses take advantage of one or more of the following: vulnerabilities attributed to system misconfiguration; inadequately engineered software; user neglect or abuse of privileges; and basic design flaws in protocols and operating systems.
Intrusion detection systems typically analyse activities of internal and/or external users for explicitly forbidden and anomalous behaviour. They are usually based on the assumption that misuse can be detected by monitoring and analysing network traffic, system audit records, system configuration files or other data sources. See for example, the article by Dorothy E. Denning, IEEE TRANSACTIONS ON SOFTWARE ENGINEERING, VOL. SE-13, NO. 2, February 1987, pages 222-232.
Available methods for detecting misuse by an intrusion detection system vary. Two intrusion detection methods are typically employed. These are described, for example, in European patent application number EP 0 985 995 A1 and in U.S. Pat. No. 5,278,901.
The first method uses knowledge accumulated about attacks and looks for evidence of their exploitation. This method, which, on a basic level, can be compared to virus checking methods, is referred to as knowledge-based (also known as signature-based or pattern-oriented). A knowledge-based intrusion detection system therefore looks for patterns of attacks while monitoring a given data source. As a consequence, attacks for which signatures or patterns are not stored will not be detected.
In the second method, a reference model is built. The model represents the normal behaviour or profile of the system being monitored, and the intrusion detection system looks for anomalous behaviour, such as deviations from the previously established reference model. Reference models can be built in various ways. For example, in the article by S. Forrest, S. A. Hofmeyr, A. Somayaji and T. A. Longstaff, entitled “A Sense of Self for Unix Processes”, Proceedings of the 1996 IEEE Symposium on Research in Security and Privacy, IEEE Computer Society Press 1996, pages 120-128, normal process behaviour is modelled by short sequences of system calls. The second method is therefore generally referred to as behaviour-based (also known as profile-based or anomaly-based). Behaviour-based intrusion detection, which assumes that the “behaviour” of a system will change in the event that an attack is carried out, therefore allows detection of previously unknown attacks, as long as they deviate from the previously established model of normal behaviour. Provided that the normal behaviour of the monitored system does not change, a behaviour-based intrusion detection system will remain up to date without having to collect signatures of new attacks.
However, precisely distinguishing “self” from potentially dangerous “others” (or “non-self”) and eliminating “others” is not easily accomplished, see, for example, the article by S. Forrest, S. A. Hofmeyr and A. Somayaji; Computer Immunology, University of N. Mex., Communications of the ACM, Mar. 21, 1996, page 3.
The behaviour of a system normally changes over time. The changes may be due to, for example, changes in activities of authorised users or installation of new or updated system elements. Thus, without immediate adaptation of the reference model, deviations from modelled behaviour will frequently be detected without any intrusions taking place. Behaviour-based intrusion detection systems therefore normally produce a higher number of false alarms or “false positives” deriving from non-threatening events.
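As an added illustration of the two methods described above (not part of the patent text, and not code from the Forrest et al. paper), the following Python example contrasts a knowledge-based check, which looks for a stored attack signature in a trace, with a behaviour-based check, which builds a reference model from short sequences of system calls seen during normal operation and scores a new trace by the fraction of its sequences absent from that model. It also reproduces the false-positive effect just described: a trace from a legitimately updated program deviates from the stale model until the model is adapted. The system-call traces, the signature, the sequence length of three and the 20% threshold are all constructed sample values.

```python
"""Contrast of knowledge-based and behaviour-based intrusion detection.

Added example, not part of the patent text or of the Forrest et al. paper.
All traces, the signature, the sequence length and the threshold are
constructed sample values chosen for illustration.
"""


def signature_match(trace, signature):
    """Knowledge-based method: report a match when the stored attack
    signature occurs as a contiguous subsequence of the observed trace."""
    k = len(signature)
    return any(trace[i:i + k] == signature for i in range(len(trace) - k + 1))


def ngrams(trace, n):
    """Split a trace into overlapping sequences of n consecutive calls."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def build_profile(traces, n=3):
    """Behaviour-based method: the reference model is the set of short
    system-call sequences observed during normal operation."""
    profile = set()
    for trace in traces:
        profile.update(ngrams(trace, n))
    return profile


def mismatch_rate(trace, profile, n=3):
    """Fraction of the trace's sequences that are absent from the model."""
    grams = ngrams(trace, n)
    if not grams:
        return 0.0
    unseen = sum(1 for gram in grams if gram not in profile)
    return unseen / len(grams)


def is_anomalous(trace, profile, n=3, threshold=0.2):
    """Flag the trace when its mismatch rate exceeds the threshold."""
    return mismatch_rate(trace, profile, n) > threshold


def update_profile(profile, trace, n=3):
    """Adapt the model to a confirmed-legitimate change in behaviour by
    adding the trace's sequences; returns a new profile."""
    return profile | set(ngrams(trace, n))


# Constructed sample traces of a hypothetical daemon under normal operation.
NORMAL_TRACES = [
    ["open", "read", "mmap", "mmap", "open", "read", "close", "close"],
    ["open", "read", "mmap", "mmap", "open", "read", "close", "close", "exit"],
    ["open", "mmap", "read", "close", "exit"],
]

# Constructed signature of one known attack, as a knowledge-based IDS stores it.
KNOWN_ATTACK_SIGNATURE = ["open", "write", "execve"]

# Constructed trace of an attack for which no signature is stored.
NOVEL_ATTACK_TRACE = ["open", "read", "mmap", "execve", "socket", "connect"]

# Constructed trace of the daemon after a legitimate update added a benign call.
UPDATED_SOFTWARE_TRACE = ["open", "read", "fstat", "mmap", "read", "close", "exit"]


if __name__ == "__main__":
    profile = build_profile(NORMAL_TRACES)
    # Knowledge-based: no stored pattern for the unknown attack, so it is missed.
    print("signature hit on novel attack:",
          signature_match(NOVEL_ATTACK_TRACE, KNOWN_ATTACK_SIGNATURE))
    # Behaviour-based: the same attack deviates from the model and is flagged.
    print("novel attack mismatch rate:", mismatch_rate(NOVEL_ATTACK_TRACE, profile))
    # False positive: legitimate new behaviour deviates from the stale model ...
    print("updated software mismatch rate:",
          mismatch_rate(UPDATED_SOFTWARE_TRACE, profile))
    # ... until the model is adapted to the confirmed change.
    adapted = update_profile(profile, UPDATED_SOFTWARE_TRACE)
    print("after adaptation:", mismatch_rate(UPDATED_SOFTWARE_TRACE, adapted))
```

Run as a script, the novel attack produces no signature hit but a mismatch rate of 0.75 against the model, while the updated-software trace produces a mismatch rate of 0.6 (a false positive) that drops to 0.0 once the model is adapted. The adaptation step is the design decision the paragraph above turns on: if the model were retrained on every unreviewed trace, attack behaviour would be absorbed into “self” as readily as a software update, so adaptation is gated on confirmation that the change in behaviour is legitimate.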
In general, the designer of an intrusion detection system navigates between endangering the system with a flood of false alarms and jeopardising the monitored system with new attacks. As hereinbefore described, conventional intrusion detection systems detect, but do not prevent, attacks. Intrusion detection does not therefore typically offer a complete security solution alone. An intrusion detection system, as one of several measures usually employed to protect an enterprise, typically delivers information contained in numerous alarm messages. These alarm messages are analysed to implement countermeasures against attacking systems. However, the analysis of the received alarm messages typically involves considerable processing effort and also incurs undesirable response delays.
Accordingly, it would be desirable to provide an improved method, a computer program element and a system for preventing intrusions into a monitored system such as a host computer.
In particular, it would be desirable to provide a method and a system for efficiently utilising information provided by a behaviour-based intrusion detection system to prevent further attacks, in particular buffer overflow attacks, using the same or different malicious codes.
Further, it would be desirable to provide a method and a system for preventing intrusions into a monitored system while practically avoiding the generation of potentially disturbing false alarms.
Still further, it would be desirable to provide a method and system that protect the monitored and further systems of a related network practically without delay against detected attacks.